←back to thread

Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 4 comments | 10 Dec 25 07:06 UTC | HN request time: 0.001s | source
Show context
gschizas ◴[10 Dec 25 09:31 UTC] No.46215801[source]
The fact that most tools have completely different ways to allow them to add certificates is the biggest pain. Git, Python and Rust also have large issues. Git doesn't default to "http.schannel". Python (or rather requests, or maybe urllib3) only looks at its own certificate store, and I have no idea how Rust does this (well, I use uv, and it has its own problems - I know about the --use-native-tls flag, but it should be a default at the least).
replies(5): >>46215828 #>>46215876 #>>46216017 #>>46216074 #>>46216859 #
noroot ◴[10 Dec 25 10:05 UTC] No.46216017[source]
It's such a nightmare at my current job as well. Everything always just breaks and needs investigating how to fix.

Even putting aside the MITM and how horrendous that is, the amount of time lost from people dealing with the fallout got to have cost so much time (and money). I can't fathom why anyone competent would want to implement this, let alone not see how much friction and safety issues it causes everywhere.

replies(1): >>46216091 #
1. dcminter ◴[10 Dec 25 10:16 UTC] No.46216091[source]
> I can't fathom why anyone competent would want to implement this

Compliance. Big financial orgs. and the like must show that they are doing something about "data loss" and this, sadly, is the easiest way to do that.

There's money in it if you can show them a better way.

replies(3): >>46228079 #>>46228215 #>>46229691 #
2. musicale ◴[11 Dec 25 05:45 UTC] No.46228079[source]
> Compliance

With anti-security policies that: break TLS, thwart certificate pinning, encourage users to ignore certificate errors, expand the attack surface, increase data leak risks, etc. All while wasting resources and money.

Zscaler and its ilk have conned the IT world. Much like Crowdstrike did before it broke the airlines.

Not to mention:

> We only use data or metadata that does not contain customer or personal data for AI model training.

How reassuring.

https://www.zscaler.com/blogs/company-news/zscalers-commitme...

3. ◴[11 Dec 25 06:09 UTC] No.46228215[source]
4. crote ◴[11 Dec 25 10:27 UTC] No.46229691[source]
Big emphasis on the "show you're doing something" part: actually being effective isn't a requirement.